Date: 2022-12-23

LastPass has made a big splash with its latest announcement regarding its recent data breach. The company, which promises to keep all of your passwords in one safe place, now says hackers were able to copy backups of customer vault data, which means they could get at all of those passwords (via TechCrunch) if they can crack the stolen vaults.

If you have an account with LastPass that stores your passwords and logins, or if you had one before and didn't delete it until this fall, there is a possibility that your password vault is in the hands of hackers. The company claims that with a strong master password and modern default settings you may be safe, but users should still consider changing their passwords to minimize the risk.

That may mean changing the passwords for every website you trusted LastPass to store.

LastPass claims that your passwords are still protected by your account's master password, but given how the company has handled its disclosures so far, it's hard to take that at its word.

When the company announced the breach in August, it said it did not believe user data had been accessed. Then, in November, LastPass announced it had detected an intrusion, apparently made possible by information stolen in the August incident (I wish I had heard about that possibility between August and November). This intrusion allowed someone to access "certain elements" of customer information. Those elements have turned out to be the most important and secret things LastPass stores. The company says it has no evidence that unencrypted credit card data was accessed, but honestly that would have been preferable to what the hackers actually got away with. At least it's easy to cancel a card or two.

Your vault backup was copied from cloud storage

As for how it all went down, LastPass CEO Karim Toubba had this to say about the stolen vaults:

The attackers were also able to copy a backup of customer vault data from the encrypted storage container. This container is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data.

Toubba says the only way a malicious actor could get at the encrypted data, including the passwords, is with the master password, and according to LastPass the attackers never obtained master passwords.

So, if you have a really good master password that you've never reused (and assuming the way LastPass encrypts your data isn't technically flawed, though the company has made some pretty basic security errors before), brute-forcing your vault should be very difficult. But anyone holding this data can try guessing passwords until one unlocks it, which is what brute force means.

LastPass says that following its recommended defaults will protect against this type of attack, but it doesn't mention any feature that would stop someone from trying to unlock your vault over and over again, for days, months, or years. Your master password may also have leaked in other data breaches.

Also note that if you have an older account (created before the new default settings introduced in 2018 or later), a weaker key-strengthening process may have been used to protect your master password. LastPass says it currently uses a stronger-than-usual 100,100 iterations of its password-based key derivation function, but a Verge staff member used the link in the company's blog post to check an older account, and it was set to 5,000 iterations.
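To make that iteration-count difference concrete, here is an added example (not LastPass code) that derives a vault key with PBKDF2 at the two iteration counts the article mentions, measures the per-guess cost on one CPU core, and turns it into a worst-case exhaustion time. SHA-256 as the hash, a 32-byte key, salting with the account e-mail and the two entropy levels are assumptions for illustration only.

```python
import hashlib
import time

# Iteration counts quoted in the article: the old account setting and the current one.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Using the lower-cased account e-mail as salt and SHA-256 as the PRF are
    assumptions made for this illustration, not a description of LastPass internals.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure how many candidate master passwords one CPU core can test per
    second against a stolen vault at the given iteration count (constructed inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", "user@example.com", iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(entropy_bits: float, rate_per_second: float) -> float:
    """Worst-case time to try every password in a 2**entropy_bits guess space."""
    return (2.0 ** entropy_bits) / rate_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Illustrative guess spaces: a weak master password (~28 bits) and a long
    # passphrase (~60 bits). Raising iterations 5,000 -> 100,100 buys about 20x;
    # the password's strength buys orders of magnitude more.
    for label, iters in (("old setting", OLD_ITERATIONS), ("current", NEW_ITERATIONS)):
        rate = guesses_per_second(iters)
        print(f"{label:12} {iters:>7} iterations: {rate:8.1f} guesses/s/core, "
              f"28-bit: {years_to_exhaust(28, rate):.3f} y, "
              f"60-bit: {years_to_exhaust(60, rate):.1e} y")
```

A real attacker runs many cores or GPUs in parallel, so treat the printed rate as a lower bound on guessing speed, not an upper bound.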

Perhaps more concerning is the unencrypted data: because it contains URLs, it lets a hacker find out which websites you have accounts on. Combined with phishing and other types of attacks, that is powerful information for anyone who decides to target those users.

If I were a LastPass customer, I wouldn’t be happy with the way the company disclosed this information.

None of this is great news, but in theory it could happen to any company that stores sensitive information in the cloud. In cybersecurity, the name of the game isn't having a 100% flawless track record; it's how you respond when disaster strikes.

And this is where LastPass fails completely, in my opinion.

Remember, this announcement was made on December 22nd, three days before Christmas, a time when many IT departments are mostly on vacation and people are less likely to be paying attention to password manager updates.

(Also, the announcement doesn't get to the part about the vault being copied until paragraph five. Some information is in bold, but I would expect news this major to be at the top.)

According to LastPass, the vault backups weren't compromised in the first breach in August. Instead, the story is that the attackers used information from that breach to target employees who had access to a third-party cloud storage service. The vaults, along with a backup containing basic customer account information and associated metadata, were stored on and copied from one of the storage volumes that access reached. According to LastPass, that metadata includes company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses customers used to access the LastPass service.

According to Toubba, as a result of the first breach and the second breach that exposed the backups, the company has added logging to detect future suspicious activity, rebuilt its development environment, rotated credentials, and taken a variety of other precautionary measures.

That's all good, and those things should be done. But if I were a LastPass user, I would seriously consider leaving the company at this point, because we're looking at one of two scenarios here. Either the company did not know, when it announced on November 30th that it had detected unusual activity, that backups including user vaults were on the cloud storage service, or it knew a hacker may have accessed them and chose not to tell its customers. Neither looks good.